Skip to content

Commit

Permalink
nfs: Fix security label length not being reset
Browse files Browse the repository at this point in the history
nfs_readdir_page_filler() iterates over entries in a directory, reusing
the same security label buffer, but does not reset the buffer's length.
This causes decode_attr_security_label() to return -ERANGE if an entry's
security label is longer than the previous one's. This error, in
nfs4_decode_dirent(), only gets passed up as -EAGAIN, which causes another
failed attempt to copy into the buffer. The second error is ignored and
the remaining entries do not show up in ls, specifically the getdents64()
syscall.

Reproduce by creating multiple files in NFS and giving one of the later
files a longer security label. ls will not see that file nor any that are
added afterwards, though they will exist on the backend.

In nfs_readdir_page_filler(), reset security label buffer length before
every reuse

Signed-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
Fixes: b4487b9 ("nfs: Fix getxattr kernel panic and memory overflow")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
  • Loading branch information
JeffreyMitchellSL authored and Trond Myklebust committed Sep 16, 2020
1 parent 856deb8 commit d33030e
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions fs/nfs/dir.c
Original file line number Diff line number Diff line change
Expand Up @@ -579,6 +579,9 @@ int nfs_readdir_page_filler(nfs_readdir_descriptor_t *desc, struct nfs_entry *en
xdr_set_scratch_buffer(&stream, page_address(scratch), PAGE_SIZE);

do {
if (entry->label)
entry->label->len = NFS4_MAXLABELLEN;

status = xdr_decode(desc, entry, &stream);
if (status != 0) {
if (status == -EAGAIN)
Expand Down

0 comments on commit d33030e

Please sign in to comment.